If you run a contact centre and take card payments over the phone, you must comply with the Payment Card Industry Data Security Standard (PCI DSS). It is a contractual obligation imposed through your acquiring bank, and non-compliance exposes you to fines, liability for fraud losses and, ultimately, loss of the ability to accept cards.
Every credit or debit card transaction you process involves sensitive cardholder data that must be protected wherever it is processed, transmitted or stored (and PCI DSS discourages storing it at all unless you have a genuine business need). With this in mind, card schemes such as Visa and Mastercard require all merchants to comply with PCI DSS so that both your business and your customers are protected from the ever-present threat of card fraud.
What is PCI DSS compliance exactly?
In a nutshell, PCI DSS is a common set of technical and operational security requirements for the safe handling of cardholder data, applying to merchants of every size and transaction volume. Visa, Mastercard, American Express, Discover and JCB formed the Payment Card Industry Security Standards Council (PCI SSC) in 2006 to maintain and manage security standards for organisations that handle payment card data. Before the PCI SSC was established, these five card brands each ran their own security programme, with broadly similar requirements and goals. They banded together through the PCI SSC to align on one standard, the PCI Data Security Standard (PCI DSS), to ensure a baseline level of protection for consumers and banks in the Internet era.
With regards to PCI compliance, it is paramount to note that responsibility for protecting cardholder data sits with the merchant, even where processing is outsourced: you can delegate the work to a PCI DSS validated service provider, but not the accountability. If cardholder data is stolen and you cannot show that you were PCI DSS compliant at the time, you could face consequences ranging from losing the ability to accept card payments, fines and penalties passed on by your acquirer, the costs of card reissuance and fraud losses, loss of confidence from your customer base and higher subsequent costs of compliance, all of which could ultimately cause huge brand damage and even put you out of business.
How difficult is it to obtain PCI DSS compliance?
Becoming PCI compliant can look daunting, but the risks of not being compliant are far more impactful to your contact centre than you may anticipate.
Setting aside the financial penalties, there are two further reasons to pursue PCI compliance.
Firstly, it gives financial institutions confidence that your business protects the public's data, which in turn supports public confidence in both the financial institutions and your business.
Secondly, the loss of credibility and trust that follows a security breach would be immensely damaging for your contact centre at every level. Exposing customers' card details causes them long-term problems, and they may choose to spend their money with other, more secure, businesses. A leak of their data also damages the reputation of the financial institutions involved, which is why those institutions are keen to ensure data is in safe hands and handled responsibly.
There are over 1,800 pages of official documentation, published by the PCI Council, about PCI DSS, and over 300 pages just to understand which forms to use when validating compliance. So, when dealing with PCI DSS requirements, you can either work through the process yourself or engage a PCI SSC Qualified Security Assessor (QSA). Be clear about what a QSA does and does not do: a QSA scopes, assesses and validates your environment and prepares the formal reports, but remediating any gaps (network segmentation, logging, access control and so on) remains your own work.
Here are the 5 steps you have to go through in order to gain PCI DSS compliance.
Step 1: Determine Your Compliance “Level”
The first thing you need to do is to figure out which "level" of compliance your business falls under. To do that, you need to collect data on how many transactions you process with each of the major card brands, ideally also separated by channel, e.g. in-store, online or over the phone, because the brands count some channels differently.
There are four merchant levels, determined by the number of transactions your organisation processes per year. The thresholds below are the Visa and Mastercard ones and are counted per brand (6 million Visa transactions, for example); other brands such as American Express use different thresholds, and it is your acquirer that formally assigns your level:
- Level 1: Merchants processing over 6 million card transactions per year.
- Level 2: Merchants processing 1 to 6 million transactions per year.
- Level 3: Merchants handling 20,000 to 1 million e-commerce transactions per year.
- Level 4: Merchants handling fewer than 20,000 e-commerce transactions per year, and all other merchants processing up to 1 million transactions per year.
One caveat: a merchant that has suffered a cardholder data breach may be moved up to Level 1 by its acquirer or the card brand regardless of volume.
If your organisation is at Level 2, 3 or 4, your validation requirements are broadly the same and include:
- A yearly self-assessment using the PCI SSC Self-Assessment Questionnaire (SAQ)
- Quarterly external vulnerability scans by an Approved Scanning Vendor (ASV), where your SAQ type requires them
- An Attestation of Compliance (AOC) form, submitted with the supporting documentation
Some brands add conditions at Level 2, so check with your acquirer whether your SAQ must be completed by a QSA or by a PCI SSC trained Internal Security Assessor (ISA).
Level 1 merchants, who handle the highest annual volumes, must instead have an annual on-site assessment by a Qualified Security Assessor (QSA), or by an ISA where the brand allows it, resulting in a Report on Compliance (ROC), in addition to the quarterly ASV scans and the AOC.
Step 2: Follow the Self-Assessment Questionnaire
The PCI DSS Self-Assessment Questionnaire (SAQ) is a validation tool: a set of questionnaires, each covering the PCI DSS requirements that apply to a particular way of accepting cards, in which you confirm, requirement by requirement, whether your environment meets the standard.
In total, there are 12 requirements for compliance that are organised into six logically related groups. You can refer to our article here for more details on these. [insert link]
Each of the 12 high-level requirements may also have some additional sub-requirements.
In total there are 9 different variations of the SAQ, but you only need to complete the one that corresponds to your payment setup. Which one that is depends on how cardholder data flows through your environment, not on your preference. For a contact centre, for instance, agents keying card details one transaction at a time into a PCI DSS validated provider's web-based virtual terminal, from isolated workstations that store nothing, typically falls under SAQ C-VT; whereas if your own systems store, process or transmit card data (call recordings that capture card numbers are a common culprit), you are usually looking at SAQ D, which contains every requirement. To make your life easier, contact your payments provider or acquirer to confirm which SAQ you can or should use.
Step 3: Complete Your Attestation of Compliance
After answering the SAQ, you will need to complete the relevant Attestation of Compliance (AOC). This is necessary to validate that you have complied with all the applicable steps.
Like the SAQ before, AOC has 9 different versions (and you only need to complete the one that is relevant to your business).
Additionally, in extraordinary cases, merchants might be asked to also fill “PCI DSS Designated Entities Supplemental Validation.”
Examples of organizations that would need this include those storing, processing, or transmitting very large volumes of cardholder data; or businesses that have suffered significant or repeated breaches of cardholder data.
Step 4: Enlist an ASV for External Vulnerability Scans
An Approved Scanning Vendor (ASV) is an organisation whose scanning service has been tested and approved by the PCI SSC to run the external vulnerability scans that PCI DSS requires against the Internet-facing systems of your cardholder data environment. The scans must be run at least quarterly, and a scan only counts when it passes (no vulnerability scoring 4.0 or higher on the CVSS scale, and none of the automatic failure conditions in the ASV programme guide), so budget time for remediation and re-scans. A scan you run yourself with an ordinary vulnerability scanner does not satisfy the requirement, however thorough it is.
Step 5: Submit the Documents to Your Acquirer Bank & Card Brands
The final step is to submit your completed SAQ and AOC, along with any other documentation requested, such as your passing ASV scan reports, to your acquiring bank and, where requested, to the relevant card brands. Check with your acquirer which documents it wants and in what form, as some collect them through a compliance portal rather than as submitted files.
Validation then repeats annually: either a Report on Compliance (ROC) produced by an external Qualified Security Assessor (QSA) for organisations handling large volumes of transactions, or a Self-Assessment Questionnaire (SAQ) for companies handling smaller volumes.
Assessing and validating PCI compliance usually happens once a year, but PCI compliance is not a one-time event; it is a continuous and substantial effort of assessment and remediation. As a company grows, so do its business processes and systems, which means compliance requirements evolve as well. Whenever something new touches payment card data, whether a new call-recording platform, a new IVR or a new outsourced service provider, proactively check whether it changes your scope or your validation method, and re-validate PCI compliance as necessary.